7 HTTP session management


This chapter covers

  • Understanding HTTP cookies
  • Configuring HTTP sessions in Django
  • Choosing an HTTP session-state persistence strategy
  • Preventing remote code-execution attacks and replay attacks

In the previous chapter, you learned about TLS. In this chapter, you’ll build on top of that knowledge, literally. You’ll learn how HTTP sessions are implemented with cookies. You’ll also learn how to configure HTTP sessions in Django. Along the way, I’ll show you how to safely implement session-state persistence. Finally, you’ll learn how to identify and resist remote code-execution attacks and replay attacks.

7.1 What are HTTP sessions?

HTTP sessions are a necessity for all but the most trivial web applications. Web applications use HTTP sessions to isolate the traffic, context, and state of each user. This is the basis for every form of online transaction. If you’re buying something on Amazon, messaging someone on Facebook, or transferring money from your bank, the server must be able to identify you across multiple requests.
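To make the "identify you across multiple requests" point concrete, here is a minimal session mechanism written for this page as an added example; it is not code from the book or from Django. It issues a random session key in a `Set-Cookie` header carrying the directives the subsections below discuss (Secure, Domain, Max-Age, and a browser-length cookie when Max-Age is omitted), keeps the user's state server-side, and resolves a later request's `Cookie` header back to that user. The cookie name `sessionid`, the in-memory store, and the `create_session`/`lookup_session` names are assumptions for illustration; the Python standard library's `http.cookies` and `secrets` modules do the real work.

```python
import secrets
from http.cookies import SimpleCookie

# Assumed cookie name for this example (it happens to be Django's default).
SESSION_COOKIE_NAME = "sessionid"

# Constructed in-memory session store: session key -> per-user state.
# A real deployment persists this in a cache or database (see 7.3).
_SESSIONS = {}


def create_session(user_id, *, domain=None, max_age=None, secure=True):
    """Create server-side state for user_id and return a Set-Cookie header value.

    The cookie carries only an unguessable key (256 bits from the OS CSPRNG);
    the user's identity never leaves the server.
    """
    key = secrets.token_urlsafe(32)
    _SESSIONS[key] = {"user_id": user_id}

    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["httponly"] = True        # keep the key out of reach of page scripts
    morsel["samesite"] = "Lax"       # do not send on cross-site POSTs
    if secure:
        morsel["secure"] = True      # Secure directive: only sent over TLS
    if domain:
        morsel["domain"] = domain    # Domain directive: which hosts receive it
    if max_age is not None:
        morsel["max-age"] = max_age  # Max-Age directive; omitted -> browser-length session
    return morsel.OutputString()


def lookup_session(cookie_header):
    """Resolve a request's Cookie header to a user_id, or None if no valid session."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(SESSION_COOKIE_NAME)
    if morsel is None:
        return None
    state = _SESSIONS.get(morsel.value)
    return None if state is None else state["user_id"]


def destroy_session(cookie_header):
    """Server-side logout: forget the key so a replayed cookie no longer works."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(SESSION_COOKIE_NAME)
    if morsel is not None:
        _SESSIONS.pop(morsel.value, None)


if __name__ == "__main__":
    # Constructed walkthrough: login, a later request, logout, replay of the old cookie.
    header = create_session("alice", domain="example.com", max_age=3600)
    print("Set-Cookie:", header)
    request_cookie = header.split(";")[0]  # what the browser sends back
    print("second request resolves to:", lookup_session(request_cookie))
    destroy_session(request_cookie)
    print("after logout, replay resolves to:", lookup_session(request_cookie))
```

Two things worth noticing: the session key is the only thing the client holds, so its entropy and the cookie directives are what stand between an attacker and account takeover, and because the state lives server-side, invalidating the key on logout is what stops a captured cookie from being replayed.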

7.2 HTTP cookies

7.2.1 Secure directive

7.2.2 Domain directive

7.2.3 Max-Age directive

7.2.4 Browser-length sessions

7.2.5 Setting cookies programmatically

7.3 Session-state persistence

7.3.1 The session serializer

7.3.2 Simple cache-based sessions

7.3.3 Write-through cache-based sessions

7.3.4 Database-based session engine
